Fourth DC is not advertising as a global catalog

  • Fourth DC is not advertising as a global catalog

    Hello all,
    We have a root domain and 3 child domains. 4 DCs in the root. All of our DCs are global catalog servers, except the new one we added 3 months ago. I am getting an error when I try to LDAP or LDAPS to it.
    It is running Windows 2016 Standard with a GUI. The firewall has been disabled temporarily when I am working on it. When I added it as a name server in DNS there was an error, Unknown error. It failed to validate. I clicked OK and it shows up in DNS as a name server. In AD sites and services it shows as a GC. When I run DCDIAG it tells me the server is not advertising as a global catalog. How can I fix this? Here is the DCDIAG output.
    C:\Windows\system32>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
    Trying to find home server...
    Home Server = DCUHCL3
    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: UHCL-Campus\DCUHCL3
    Starting test: Connectivity
    ......................... DCUHCL3 passed test Connectivity

    Doing primary tests

    Testing server: UHCL-Campus\DCUHCL3
    Starting test: Advertising
    Warning: DCUHCL3 has not finished promoting to be a GC.
    Check the event log for domains that cannot be replicated.
    Warning: DCUHCL3 is not advertising as a global catalog.
    Check that server finished GC promotion.
    Check the event log on server that enough source replicas for the GC are available.
    ......................... DCUHCL3 failed test Advertising
    Starting test: FrsEvent
    ......................... DCUHCL3 passed test FrsEvent
    Starting test: DFSREvent
    ......................... DCUHCL3 passed test DFSREvent
    Starting test: SysVolCheck
    ......................... DCUHCL3 passed test SysVolCheck
    Starting test: KccEvent
    A warning event occurred. EventID: 0x80000786
    Time Generated: 06/15/2017 13:57:55
    Event String:
    The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
    A warning event occurred. EventID: 0x80000786
    Time Generated: 06/15/2017 13:57:55
    Event String:
    The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
    A warning event occurred. EventID: 0x80000786
    Time Generated: 06/15/2017 13:57:55
    Event String:
    The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
    A warning event occurred. EventID: 0x80000786
    Time Generated: 06/15/2017 13:57:55
    Event String:
    The attempt to establish a replication link to a read-only directory partition with the following parameters failed.
    ......................... DCUHCL3 passed test KccEvent
    Starting test: KnowsOfRoleHolders
    ......................... DCUHCL3 passed test KnowsOfRoleHolders
    Starting test: MachineAccount
    ......................... DCUHCL3 passed test MachineAccount
    Starting test: NCSecDesc
    Ldap search capability attribute search failed on server DCUHCL3, return value = 81
    ......................... DCUHCL3 failed test NCSecDesc
    Starting test: NetLogons
    ......................... DCUHCL3 passed test NetLogons
    Starting test: ObjectsReplicated
    ......................... DCUHCL3 passed test ObjectsReplicated
    Starting test: Replications
    REPLICATION-RECEIVED LATENCY WARNING
    DCUHCL3: Current time is 2017-06-15 14:12:39.
    CN=Schema,CN=Configuration,DC=uhcl,DC=edu
    Last replication received from DCSCE2 at
    2016-03-28 11:57:05
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    CN=Configuration,DC=uhcl,DC=edu
    Last replication received from DCSCE2 at
    2016-03-28 11:57:05
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    DC=sce,DC=uhcl,DC=edu
    Last replication received from DCSCE2 at
    2016-03-28 12:41:21
    WARNING: This latency is over the Tombstone Lifetime of 60 days!
    ......................... DCUHCL3 passed test Replications
    Starting test: RidManager
    ......................... DCUHCL3 passed test RidManager
    Starting test: Services
    ......................... DCUHCL3 passed test Services
    Starting test: SystemLog
    An error event occurred. EventID: 0x00002720
    Time Generated: 06/15/2017 14:11:05
    Event String:
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    ......................... DCUHCL3 failed test SystemLog
    Starting test: VerifyReferences
    ......................... DCUHCL3 passed test VerifyReferences


    Running partition tests on : Schema
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... Configuration passed test CrossRefValidation

    Running partition tests on : uhcl
    Starting test: CheckSDRefDom
    ......................... uhcl passed test CheckSDRefDom
    Starting test: CrossRefValidation
    ......................... uhcl passed test CrossRefValidation

    Running enterprise tests on : uhcl.edu
    Starting test: LocatorCheck
    ......................... uhcl.edu passed test LocatorCheck
    Starting test: Intersite
    ......................... uhcl.edu passed test Intersite

    C:\Windows\system32>
    Thanks for your help
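
Added example (not part of the original post, and not dcdiag's own logic): a Python parser for the Replications section of the output above that lists every inbound link older than the tombstone lifetime, whatever the test's verdict line says (it reads "passed" here). The names `stale_links` and `tombstone_days` are assumptions made for this example.

```python
import re
from datetime import datetime

# Sample input: the Replications section as it appears in the dcdiag output in the post.
SAMPLE = """\
REPLICATION-RECEIVED LATENCY WARNING
DCUHCL3: Current time is 2017-06-15 14:12:39.
CN=Schema,CN=Configuration,DC=uhcl,DC=edu
Last replication received from DCSCE2 at
2016-03-28 11:57:05
WARNING: This latency is over the Tombstone Lifetime of 60 days!
CN=Configuration,DC=uhcl,DC=edu
Last replication received from DCSCE2 at
2016-03-28 11:57:05
WARNING: This latency is over the Tombstone Lifetime of 60 days!
DC=sce,DC=uhcl,DC=edu
Last replication received from DCSCE2 at
2016-03-28 12:41:21
WARNING: This latency is over the Tombstone Lifetime of 60 days!
......................... DCUHCL3 passed test Replications
"""

TS = "%Y-%m-%d %H:%M:%S"
NOW_RE = re.compile(r"^(\S+): Current time is (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
NC_RE = re.compile(r"^(?:CN|DC)=\S+$", re.I)  # naming-context (partition) line
SRC_RE = re.compile(r"^Last replication received from (\S+) at$")
STAMP_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d$")

def stale_links(dcdiag_text, tombstone_days=60):
    """Return (partition, source DC, whole days since last inbound replication)
    for every link older than the tombstone lifetime, ignoring dcdiag's verdict."""
    now = nc = src = None
    stale = []
    for line in (l.strip() for l in dcdiag_text.splitlines()):
        if m := NOW_RE.match(line):
            now = datetime.strptime(m.group(2), TS)
        elif NC_RE.match(line):
            nc, src = line, None          # new partition: forget previous source
        elif m := SRC_RE.match(line):
            src = m.group(1)
        elif STAMP_RE.match(line) and now and nc and src:
            age = (now - datetime.strptime(line, TS)).days
            if age > tombstone_days:
                stale.append((nc, src, age))
    return stale

if __name__ == "__main__":
    for nc, src, age in stale_links(SAMPLE):
        print(f"{nc}: {age} days since last replication from {src}")
```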

  • #2
    TBH, with multiple DCs in the root domain, I would just blow it away, do a metadata cleanup and start again. The time and effort it takes to troubleshoot far outweighs the effort to reinstate it (IMHO).

    What OS are the other DCs running?
    Have you extended the schema for 2016?
    What are your domain and forest FLs?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Thank you very much for your reply.
      I was thinking about doing that. This is also one of two DHCP servers but I can set that up again. The other OSs are Windows 2008 R2. We have not yet extended the schema. What are FLs?
      If I remove DHCP and the GC role and gracefully demote the server, will I still need to clean up metadata?



      • #4
        FLs are functional levels (domain and forest)

        You can try the demotion, but generally (IMHO) if there are problems with replication, demotion will fail; if so, you need to remove the computer completely from the domain (destroy OS, delete account, clean up AD and DNS). The process is well documented, e.g. https://www.petri.com/delete_failed_dcs_from_ad. DHCP should be removed properly.

        As an aside, if you have your DHCP servers at 2012 or above, you can have failover (one scope synced between 2 DHCP servers) increasing availability: https://technet.microsoft.com/en-us/...(v=ws.11).aspx
        Tom Jones


        • #5
          Thanks again for your help.
          I ended up demoting the DC and re-installing the OS. That only took a few hours which beats days of troubleshooting.
          I found some PowerShell commands that made the DHCP migration easy.
          http://windowsitpro.com/powershell-s...just-two-steps



          • #6
            Well done, and you were lucky a demote worked!
            As you say, much less time than troubleshooting!
            Tom Jones


            • #7
              WARNING: This latency is over the Tombstone Lifetime of 60 days!
              CN=Configuration,DC=uhcl,DC=edu
              Last replication received from DCSCE2 at
              2016-03-28 11:57:05
              It's a bit late now, but could this have just been caused by a Tombstone event? There is a Registry hack that can clear this and then turn Tombstoning back on again. So, in case this happens again, you could try the following first.

              Disable Tombstone
              Code:
              Windows Registry Editor Version 5.00
              
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
              
              "Allow Replication With Divergent and Corrupt Partner"=dword:00000001
              Force Replication

              Re-enable Tombstone.
              Code:
              Windows Registry Editor Version 5.00
              
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
              
              "Allow Replication With Divergent and Corrupt Partner"=dword:00000000
              1 1 was a racehorse.
              2 2 was 1 2.
              1 1 1 1 race 1 day,
              2 2 1 1 2
